cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
711
Views
0
Helpful
13
Replies
Highlighted

dACL's Logging

Hi Experts,

 

I just need a simple yes or no.  Does logging work for dACL's and if it does work how do we see the logging info?

 

Much appreciated,

-Robert

 

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Enthusiast

Re: dACL's Logging

Ok, I'm testing with the 12port version of that switch. running code 15.2(6)E1

 

I also see hits:

Extended IP access list shure_acl
    5 permit igmp any any (15 matches)
    10 permit udp any eq snmptrap any
    20 permit udp any range 319 320 any
    30 permit udp any eq 2203 any
    40 permit udp any eq 4321 any
    50 permit udp any range 14336 14600 any
    60 permit udp any eq 4440 any
    70 permit udp any eq 4444 any
    80 permit udp any eq 4455 any
    90 permit udp any eq 5353 any (7 matches)
    100 permit udp any range 8700 8706 any (275 matches)
    110 permit udp any eq 8800 any
    120 permit udp any eq 8751 any
    130 permit udp any range 16000 65535 any
    140 permit icmp any any
    150 permit udp any any eq bootpc
    160 permit udp any 10.0.0.0 0.255.255.255 eq ntp
    170 permit tcp any 10.0.0.0 0.255.255.255 eq domain
    180 permit udp any 10.0.0.0 0.255.255.255 eq domain
    190 permit ip any host 10.200.105.31
    200 permit ip any host 10.200.105.32
    210 permit ip any host 10.200.105.33
    220 permit ip any host 10.200.105.34
    230 permit ip any host 10.200.105.35
    240 deny ip any any log (98 matches)

However, ACE #240 with the 'log' syntax does not log to the switch buffer.

 

In other words, if I do a 'sh log' I never see any entries for the DACL.

View solution in original post

13 REPLIES 13
Highlighted
Enthusiast

Re: dACL's Logging

Highlighted

Re: dACL's Logging

TY much. 

Highlighted
Cisco Employee

Re: dACL's Logging

I just checked using a switch in my lab and was able to see if there were matches from a dACL sent by ISE.  I used "show access-lists."  Hope that helps

 

Regards,

Tim

Highlighted
Enthusiast

Re: dACL's Logging

Do you see actual hits? or just that the ACLs now exist on the device?

Highlighted
Cisco Employee

Re: dACL's Logging

I see the number of hits.

Regards,
Tim

Re: dACL's Logging

I see the dACL being applied but i do not see hits. Please share if you do see so!!! :)
Highlighted
Cisco Employee

Re: dACL's Logging

I see the dACL applied as well as the number of hits for the ACE. The switch I used was a 3850. Not sure if it applies to all switches though.

Regards,
Tim
Highlighted
Enthusiast

Re: dACL's Logging

What model switch, and what version of code? Also, paste the output?

 

I had a tac case open for a good month (684684694 if you're interested). I have dacl logging working on one switch in our environment on a specific version of code. But this functionality isn't listed in any of the release notes as a new feature. Using the feature search tool gives no good results either.

 

Highlighted

Re: dACL's Logging

Its a little 12 port switch used for testing. 

 

S-SecurityTestDEV#sho ver
Cisco IOS Software, C3560CX Software (C3560CX-UNIVERSALK9-M), Version 15.2(4)E2, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Mon 27-Jun-16 09:08 by prod_rel_team

ROM: Bootstrap program is C3560CX boot loader
BOOTLDR: C3560CX Boot Loader (C3560CX-HBOOT-M) Version 15.2(3r)E2, RELEASE SOFTWARE (fc2)

S-SecurityTestDEV uptime is 2 hours, 12 minutes
System returned to ROM by power-on
System restarted at 08:52:55 CDT Thu Aug 2 2018
System image file is "flash:/c3560cx-universalk9-mz.152-4.E2/c3560cx-universalk9-mz.152-4.E2.bin"
Last reload reason: power-on

 

 

Switch Ports Model                     SW Version            SW Image                
------ ----- -----                     ----------            ----------              
*    1 12    WS-C3560CX-8PC-S          15.2(4)E2             C3560CX-UNIVERSALK9-M   

 

Highlighted
Enthusiast

Re: dACL's Logging

Ok, I'm testing with the 12port version of that switch. running code 15.2(6)E1

 

I also see hits:

Extended IP access list shure_acl
    5 permit igmp any any (15 matches)
    10 permit udp any eq snmptrap any
    20 permit udp any range 319 320 any
    30 permit udp any eq 2203 any
    40 permit udp any eq 4321 any
    50 permit udp any range 14336 14600 any
    60 permit udp any eq 4440 any
    70 permit udp any eq 4444 any
    80 permit udp any eq 4455 any
    90 permit udp any eq 5353 any (7 matches)
    100 permit udp any range 8700 8706 any (275 matches)
    110 permit udp any eq 8800 any
    120 permit udp any eq 8751 any
    130 permit udp any range 16000 65535 any
    140 permit icmp any any
    150 permit udp any any eq bootpc
    160 permit udp any 10.0.0.0 0.255.255.255 eq ntp
    170 permit tcp any 10.0.0.0 0.255.255.255 eq domain
    180 permit udp any 10.0.0.0 0.255.255.255 eq domain
    190 permit ip any host 10.200.105.31
    200 permit ip any host 10.200.105.32
    210 permit ip any host 10.200.105.33
    220 permit ip any host 10.200.105.34
    230 permit ip any host 10.200.105.35
    240 deny ip any any log (98 matches)

However, ACE #240 with the 'log' syntax does not log to the switch buffer.

 

In other words, if I do a 'sh log' I never see any entries for the DACL.

View solution in original post

Highlighted
Enthusiast

Re: dACL's Logging

We've been trying to send 'permit ip any any log' DACLs to specific iot endpoints in the lab network.

The thought being, we'll monitor the logs and determine how the endpoint communicates and what we need to permit. But just seeing whether a rule is being hit or not, has not been very useful.
Highlighted
Beginner

Re: dACL's Logging

I learned that these acls are processed in hardware and the hit count option is for access lists processed In software like the ones applied on SVI or layer 3 interfaces. So looks like you may not see the hits, unless the the switch you have processes this in a different way.

Highlighted
Beginner

Re: dACL's Logging

I learned that these acls are processed in hardware and the hit count option is for access lists processed In software like the ones applied on SVI or layer 3 interfaces. So looks like you may not see the hits, unless the the switch you have processes this in a different way.

Everyone's tags (2)